The PGP passphrase I used for years (expired last year) was 21 words long, over 100 characters, made up of two separate sentences from different books, with a mispunctuation and a couple of nonstandard spellings. I still remember it after not using it for over a year, but I have to write down the 8 character randomly generated password for my work intranet login. Which is more secure, the one known only to me and recorded nowhere, or the one written down in a notebook somewhere? Time to use it isn't really an issue, since it usually takes me two or three tries to get the random garbage typed in right, while I type the phrase more quickly than my normal typing rate due to repetition.

brianko wrote: Which do you want to remember (or type on a consistent basis): A 67-character English passage, or a 20-character password, or a seven-word passphrase?
The average person should be able to remember a 20-30 word phrase that is relatively difficult for others to guess. Anyone wanting to social-engineer my old phrase would have to know what books I last read 4-5 years ago and don't even currently own, and would still have to guess at the odd spellings and the punctuation error.
I use a few different passwords for just that reason; there are quick ones used for things that just aren't particularly damaging, like forum logins, that are probably still more secure than a lot of people's bank account passwords, and there are tougher ones on my router and root account, and even tougher ones on anything where people could conceivably access financial information. Some of them are tough enough that I do keep them written down - in a text file encrypted with a new passphrase that might actually be a little more secure than the old one.

Of course, it all boils down to how important you believe it is that you have a secure password. If you believe it's highly unlikely anyone will want to break into your system, then feel free to use a "weak" password. The problem, though, is that it's rather difficult to predict when someone will take an interest in you (sort of the same situation when you carry!)...
And, FWIW, the IT department at work distributes passwords via sticky note, usually stuck on the user's monitor for them to find when they get to work. I'm amazed that not even the pranksters around here have figured out the flaw in that system.